Malware has been spreading through Steam Workshop since late 2025 by hiding inside Wallpaper Engine wallpaper packages, turning a feature built for animated desktops into a route to stolen Steam accounts. The campaign was aimed mainly at gamers in China and Russia, and dozens of infected wallpapers had already been downloaded thousands or even tens of thousands of times.
That spread matters because Wallpaper Engine is not a niche tool. It has about 100,000 daily active users and nearly a million reviews, and its Workshop system lets anyone publish a wallpaper for others to download and install for free. On paper, the files looked like ordinary community creations. In practice, the attackers were using application wallpapers, which can run as standalone programs and execute foreign code directly on a computer.
The malicious packages were found in Steam Workshop as application wallpapers, the kind that can be mini-games, planners, calendars, system monitors, or widgets that track CPU or GPU usage. Once a compromised wallpaper launched, the damage could move fast. Within minutes, a victim might see a Steam account hijacked, a machine crippled by malware, files encrypted by ransomware, or performance dragged down by a hidden crypto miner.
One wallpaper sample uncovered in December 2025 showed how deceptive the setup could be. It looked harmless, booted flawlessly, ran smoothly, and left the desktop controls working exactly as expected. That made the infection harder to spot, not easier. The wallpaper quietly dropped a backdoor file called Synaptics.exe, then used an executable named ._cache_GAME1.exe to start the actual game, NTRaholic, while also installing a custom version of AggregatorHost.dll carrying the payload.
From there, the modified DLL searched the computer for Steam, hunted for account credentials, hijacked the user’s live session, and sent the collected data to a server controlled by the hackers. The result was not just a trick wallpaper but a working theft chain hidden inside something that appeared to launch normally. The unresolved question is how dozens of these packages stayed on Steam Workshop long enough to rack up so many downloads before the abuse was stopped.
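A triage check built on the file names reported for the December 2025 sample, as an added example that is not code from the report or from Wallpaper Engine. It assumes each downloaded Workshop item is a folder holding a `project.json` with a `type` field, and that the content folder path is passed in by the user; the function names are illustrative. Matches are by file name only, since the report gives no hashes.

```python
import json
import os
from pathlib import Path

# File names taken from the December 2025 sample described above.
EXACT_NAMES = {"synaptics.exe", "aggregatorhost.dll"}
CACHE_PREFIX = "._cache_"  # matches ._cache_GAME1.exe
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd"}

def wallpaper_type(item_dir: Path) -> str:
    """Read 'type' from project.json (assumed layout); 'unknown' if unreadable."""
    try:
        text = (item_dir / "project.json").read_text(encoding="utf-8", errors="replace")
        return str(json.loads(text).get("type", "unknown")).lower()
    except (OSError, ValueError, AttributeError):
        return "unknown"

def scan_item(item_dir: Path) -> dict:
    """List name-based indicator hits and every executable inside one item folder."""
    named, executables = [], []
    for root, _dirs, files in os.walk(item_dir):
        for name in files:
            rel = str((Path(root) / name).relative_to(item_dir))
            low = name.lower()
            if low in EXACT_NAMES or low.startswith(CACHE_PREFIX):
                named.append(rel)
            if Path(low).suffix in EXECUTABLE_EXTS:
                executables.append(rel)
    return {"item": item_dir.name, "type": wallpaper_type(item_dir),
            "named_hits": sorted(named), "executables": sorted(executables)}

def scan_workshop(content_root: Path) -> list:
    """Return items that are application wallpapers or contain a named artifact."""
    findings = []
    for item_dir in sorted(p for p in Path(content_root).iterdir() if p.is_dir()):
        result = scan_item(item_dir)
        if result["named_hits"] or result["type"] == "application":
            findings.append(result)
    return findings

if __name__ == "__main__":
    import sys
    for f in scan_workshop(Path(sys.argv[1])):
        level = "HIGH" if f["named_hits"] else "REVIEW"
        print(level, f["item"], f["type"], f["named_hits"] or f["executables"])
```

Items reported as `REVIEW` are application wallpapers with no name match; they still run as standalone programs and warrant a look at what they ship.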
The campaign shows why application wallpapers are a sharp edge inside Wallpaper Engine: they are effectively small programs, and in the wrong hands they can run foreign code with very little warning. For now, the clearest signal is the one already visible in the numbers — a large Steam Workshop audience, a fast-moving malware operation, and a distribution system that helped the files spread far beyond the first target set.

